gemalto

package
v0.13.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 12, 2021 License: AGPL-3.0 Imports: 20 Imported by: 0

Documentation

Overview

Package gemalto implements a key store that fetches/stores cryptographic keys on a Gemalto KeySecure instance.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Credentials 

type Credentials struct {
	Token  string        // The KeySecure refresh token
	Domain string        // The KeySecure domain - similar to a Vault Namespace
	Retry  time.Duration // The time to wait before trying to re-authenticate
}

Credentials represents a Gemalto KeySecure refresh token that can be used to obtain a short-lived authentication token.

A token is valid within either the default root domain (empty) or a specifc domain - e.g. my-domain.

type KeySecure 

type KeySecure struct {
	// Endpoint is the KeySecure instance endpoint.
	Endpoint string

	// CAPath is a path to the root CA certificate(s)
	// used to verify the TLS certificate of the KeySecure
	// instance. If empty, the host's root CA set is used.
	CAPath string

	// Login credentials are used to authenticate to the
	// KeySecure instance and obtain a short-lived authentication
	// token.
	Login Credentials

	// ErrorLog specifies an optional logger for errors.
	// If an unexpected error is encountered while trying
	// to fetch, store or delete a key or when an authentication
	// error happens then an error event is written to the error
	// log.
	//
	// If nil, logging is done via the log package's standard
	// logger.
	ErrorLog *log.Logger
	// contains filtered or unexported fields
}

KeySecure is a Gemalto KeySecure client that stores / fetches key-value pairs as secrets.

It tries to connect to a KeySecure instance at the given endpoint and uses the login credentials to authenticate.

func (*KeySecure) Authenticate 

func (s *KeySecure) Authenticate() (err error)

Authenticate tries to establish a connection to a KeySecure server using the login credentials.

It retruns an error if no connection could be established - for instance because of invalid credentials.

func (*KeySecure) Create 

func (s *KeySecure) Create(key, value string) error

Create creates the given key-value pair at Gemalto if and only if the given key does not exist. If such an entry already exists it returns kes.ErrKeyExists.

func (*KeySecure) Delete 

func (s *KeySecure) Delete(key string) error

Delete removes a the value associated with the given key from Vault, if it exists.

func (*KeySecure) Get 

func (s *KeySecure) Get(key string) (string, error)

Get returns the value associated with the given key. If no entry for the key exists it returns kes.ErrKeyNotFound.

func (*KeySecure) List added in v0.13.0 

func (s *KeySecure) List(ctx context.Context) (secret.Iterator, error)

List returns a new Iterator over the names of all stored keys.

Notes

Bugs

  • The KeySecure server returns 404 NotFound if the secret does not exist but also when we are not allowed to access/delete the secret due to insufficient policy permissions. The reason for this is probably that a client should not be able to determine whether a particular secret exists (if the client has no access to it). Unfortunately, we cannot guarantee anymore that we actually deleted the secret. It could also be the case that we lost access (e.g. due to a policy change). So, in this case we don't return an error such that the client thinks it has deleted the secret successfully.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.